Enable WAS to use Tivoli Access Manager for authentication
WAS can use the Tivoli Access Manager for authenticating users only when the following LDAP directory servers are used as the user registry:
- IBM Directory Server
- Sun ONE directory server
- Lotus Domino Enterprise Server
- Novell Directory Server eDirectory
- Microsoft Windows Active Directory
- z/OS LDAP Server
When one of these directory servers is used as the registry, you can use the Tivoli Access Manager to authenticate users instead of directly binding to the LDAP registry by accepting the password and the account policies set in the Tivoli Access Manager. The following steps explain how to set a property in the LDAP custom properties section when enabling security.
- Verify that the PDJrteCfg and SvrSslCfg commands have been run
- Select the LDAP user registry by clicking...Administrative console | Security | User Registries | LDAP
Confirm that you selected one of the supported LDAP directory servers listed previously.
- On the LDAP user registry page, select the Use Tivoli Access Manager for Account Policies check box in the administrative console. Tivoli Access Manager authentication is valid only when you select LDAP. The login polices set in Tivoli Access Manager are honored only when the user logs in with a password. The login policies, however, are not honored when a user logs in without a password (If the user uses X.509 certificates instead of passwords, for example). For more information see Tivoli Access Manager documentation .
- If you create groups using Tivoli Access Manager, add the objectClass=accessGroup value to the IBM_Directory_Server group filter.For example the following code is one continuous line...This addition is required because by default, the Tivoli Access Manager creates the accessGroup object class and uses it for all the groups it creates. The default WebSphere Application Server LDAP filters only look for the groupOfNames or groupOfUniqueNames object classes. If this change is not made, authorization problems result when groups are assigned to roles.(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=accessGroup) (objectclass=groupOfUniqueNames)))
If the groups are first created in the IBM_Directory_Server registry and then imported into the Tivoli Access Manager, you do not need to change the filters because the groups have the object classes that the WAS requires.
- Enable security. If security is already enabled, save these changes and restart the servers for the Tivoli Access Manager authentication to take effect.
Tivoli Access Manager Documentation
To instructions on how to configure Tivoli Access Manager check out:
See AlsoConfiguring WAS to use Tivoli Access Manager for authentication
Configuring global security
Tivoli Software information center